AUTH_SESSION_ID does not change before and after login

Hi, I’ve encountered a vulnerability with session management in my application. The AUTH_SESSION_ID cookie retains the same value pre- and post-authentication. This persistent session ID could potentially expose users to session fixation attacks. How can I change the AUTH_SESSION_ID before and after login?
Is this even a problem?
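One way to turn the concern in the post above into a repeatable check is to capture the Set-Cookie headers from the pre-login response and from the response that completes the login, then assert that the session cookie's value rotated and that it still carries Secure and HttpOnly. The script below is an added example, not code from the thread or from the Keycloak project; the header lines are constructed placeholders, not real Keycloak output, and it makes no claim about what Keycloak actually does with AUTH_SESSION_ID.

```python
from typing import Dict, List

# Constructed Set-Cookie headers, standing in for what a test harness would record
# from (1) the first request to the login page and (2) the response that completes
# authentication. Values are made-up placeholders, not real Keycloak output.
PRE_AUTH_SET_COOKIE = [
    "AUTH_SESSION_ID=00000000-aaaa-bbbb-cccc-111111111111; Path=/; Secure; HttpOnly; SameSite=None",
]
POST_AUTH_SET_COOKIE_UNCHANGED = [
    "AUTH_SESSION_ID=00000000-aaaa-bbbb-cccc-111111111111; Path=/; Secure; HttpOnly; SameSite=None",
]
POST_AUTH_SET_COOKIE_ROTATED = [
    "AUTH_SESSION_ID=99999999-dddd-eeee-ffff-222222222222; Path=/; Secure; HttpOnly; SameSite=None",
]


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_jar(headers: List[str]) -> Dict[str, dict]:
    """Index parsed cookies by name; a later header for the same name wins."""
    return {c["name"]: c for c in map(parse_set_cookie, headers)}


def check_session_rotation(pre: List[str], post: List[str], cookie_name: str) -> List[str]:
    """Return findings for the named session cookie; an empty list means it passed.

    The browser keeps a cookie the server does not re-issue, so the effective
    post-login value is the post-login Set-Cookie if present, else the pre-login one.
    """
    findings: List[str] = []
    before = cookie_jar(pre).get(cookie_name)
    after = cookie_jar(post).get(cookie_name)
    effective = after or before
    if effective is None:
        # Cookie never appeared at all; nothing to rotate, nothing to fix.
        return findings
    if before is not None and before["value"] == effective["value"]:
        findings.append(
            f"{cookie_name}: value unchanged across authentication (possible session fixation)"
        )
    for attr in ("secure", "httponly"):
        if attr not in effective["attrs"]:
            findings.append(f"{cookie_name}: missing {attr} attribute")
    return findings


if __name__ == "__main__":
    for label, post in (("unchanged", POST_AUTH_SET_COOKIE_UNCHANGED),
                        ("rotated", POST_AUTH_SET_COOKIE_ROTATED)):
        result = check_session_rotation(PRE_AUTH_SET_COOKIE, post, "AUTH_SESSION_ID")
        print(f"{label}: {result or 'OK'}")
```

Run it against headers captured from a real login flow (for example from a browser's network panel or an integration test client) and treat a non-empty result as a regression to investigate; the check is deliberately cookie-name agnostic so the same function covers any other session cookie your deployment sets.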

If you think it is a vulnerability, please report it, along with a demonstration of an exploit, according to Keycloak’s security policy GitHub - keycloak/keycloak: Open Source Identity and Access Management For Modern Applications and Services

Can we expire AUTH_SESSION_ID?

Sounds like you think you have found a vulnerability. Please report it to the Keycloak maintainers at the link above…